We are excited to share the much-anticipated release of Suricata 7!
This has been a longer release cycle than usual for Suricata, and we have come a long way. Among other reasons for the delay, we would like to acknowledge the impact the pandemic has had on all of us.
Prior to this major release, we shared two release candidates so you, our community, could report your findings to us. Now it is time to share the result of all that joint effort with you.
Our last major version came out in October 2020, and since then, we have been working hard to bring new, promising features to this version, alongside performance improvements and support for more protocols and rule keywords. We have highlighted some of those below.
Main features:
- DPDK IDS/IPS support for primary mode was added
- AF_XDP IDS support by Richard McConnell at Rapid7
- HTTP/HTTP2 new keywords for header inspection
- TLS: client certificate logging and detection
- BitTorrent parser by Aaron Bungay
- IPS: exception policies now default to dropping the affected traffic
- EVE documented and validated with a json schema
- HTTP/2 support is no longer considered experimental
- NETMAP API 14
- Conditional PCAP by Eric Leblond and Scott Jordan
- Initial libsuricata support
- VLAN support extended from 2 to 3 layers
Performance improvements:
- file.data MPM split per app protocol
- New lighter rule profiling mode by Eric Leblond
- SMB: many fixes and optimizations
- Hash calculation using Rust crypto instead of NSS
- Flow manager tuning
- Many more performance-related counters
- Stream buffer, which is used by stream engine, file tracking, and more, is more memory efficient
Secure Deployment / Security
- Linux Landlock support added by Eric Leblond
- Use of setrlimit (RLIMIT_NPROC) to prevent Suricata from creating another process
- Cargo crate versions locked via a Cargo.lock file
- Secure defaults for datasets and Lua: Lua in rules is disabled unless explicitly allowed, and dataset rules may no longer use absolute or ".." file paths by default
- Per-flow limit on the number of transactions for several protocols, bounding memory use against pathological traffic
- New Security Policies: https://github.com/OISF/suricata/blob/master/SECURITY.md
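The setrlimit hardening above is simple enough to reproduce in isolation. The following is an added example written for this page, not Suricata's own code: it applies the same RLIMIT_NPROC=0 limit that Suricata's security.limit-noproc option uses, then checks whether fork() is actually refused. The function names (block_process_creation, current_nproc_limit, fork_is_blocked) are this example's own. It also shows the caveat a deployer should know: the Linux kernel exempts root (and holders of CAP_SYS_RESOURCE or CAP_SYS_ADMIN) from RLIMIT_NPROC, so the protection only takes effect once the engine has dropped to an unprivileged user.

```c
/* Added example: RLIMIT_NPROC hardening as used by Suricata 7's
 * security.limit-noproc. Not Suricata's code; function names are ours. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Forbid process creation for the rest of this process's lifetime.
 * Soft and hard limit are both set to 0 so the limit cannot be raised back
 * later, even by the process itself. Returns 0 on success, -1 with errno set. */
int block_process_creation(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Read back the current soft RLIMIT_NPROC so a deployment check can confirm
 * the limit is really in place. Returns (rlim_t)-1 on error. */
rlim_t current_nproc_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return (rlim_t)-1;
    return rl.rlim_cur;
}

/* Try to create a child that exits immediately.
 * Returns 1 if fork() was refused with EAGAIN (limit enforced),
 *         0 if a child was created (limit not enforced, e.g. real uid is root),
 *        -1 on any other error. */
int fork_is_blocked(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno == EAGAIN ? 1 : -1;
    if (pid == 0)
        _exit(0);               /* child: do nothing and leave */
    int status;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;                       /* parent: reap the child */
    return 0;
}

int main(void)
{
    printf("before limit: fork blocked = %d\n", fork_is_blocked());

    if (block_process_creation() != 0) {
        perror("setrlimit(RLIMIT_NPROC)");
        return 1;
    }
    printf("RLIMIT_NPROC soft limit is now %lu\n",
           (unsigned long)current_nproc_limit());

    int blocked = fork_is_blocked();
    printf("after limit:  fork blocked = %d%s\n", blocked,
           (blocked == 0 && getuid() == 0)
               ? " (real uid is root: the kernel exempts root from RLIMIT_NPROC)"
               : "");
    return 0;
}
```

Run it once as an unprivileged user and once as root to see the difference; the second run is the reason Suricata's process limit should be combined with running the engine under a dedicated non-root user.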
Protocols
- QUICv1, GQUIC support added. GQUIC contributed by Emmanuel Thompson
- PostgreSQL support added
- HTTP/2 deflate decompression, byte-ranges support
- VN-Tag support
- Modbus rewritten to Rust with Eve logging added by Simon Dugas
- IKEv1 support added by Sascha Steinbiss and Frank Honza
- ESP flow tracking and logging
- Minimal telnet parser
- Active flow and TCP counters
- Network Service Header (NSH) decoding
- Remove dependency on system’s /etc/protocols
Rules
- Added new rule keywords for DHCP, Kerberos, SNMP, TLS, QUIC
- JA3(s) support for QUIC
- New (experimental) class of keywords through “frames API”: NFS, SMB, DNS, telnet, SSL/TLS
- HTTP request files and NFS now support file.data
- “XOR” transform was added
- Lua: access to more rule info
- The byte_test, byte_math, and byte_jump keywords allow a variable name for the byte count value.
- flow.age keyword was added
IPS
- Exception policies added to control how packets are handled when exceptional conditions such as memory caps are hit
- DPDK support
Socket Control
- Get flow stats over Unix socket
- Datasets management commands were added
Output
- Conditional packet capture allows packets to be written to disk only after an alert has been triggered
- New “stream” eve output type for debugging the stream engine
- Log engine verdict on rejected/dropped/passed packets
Dev corner
- Total: 1375 files changed, 130027 insertions(+), 127626 deletions(-)
- Rust: 173 files changed, 39279 insertions(+), 13830 deletions(-)
- C: 978 files changed, 73882 insertions(+), 109446 deletions(-)
- Docs: 142 files changed, 6636 insertions(+), 1890 deletions(-)
- Much stricter C compiler flags.
- Clang’s scan-build clean, which is enforced in CI.
- CI was expanded.
- Rust parsers upgraded to using Nom 7
Upgrade notes:
- Suricata 7.0 now uses pcre2 instead of pcre1.
- The MSRV (minimum supported Rust version) has been raised from 1.41.1 (the minimum for Suricata 6.0) to 1.63.0.
- Support for Prelude (libprelude) has been removed
- Suricata 7.0 requires and bundles libhtp 0.5.45
Read more: Upgrading from 6 to 7
Special Thanks
OSS-Fuzz, Coverity, Outreachy.
Outreachy interns: Tharushi Jayasekara, Sam Muhammed, Modupe Falodun, Haleema Khan
Community: Aaron Bungay, Alex, Alice Akaki, Andreas Dolp, Andreas Herz, Andrei Shchapaniak, Angelo Mirabella, Antti Tönkyrä, Arne Welzel, BACK Yonah, Bazzan Don, Benjamin Wilkins, Carl Smith, Catena cyber, Cole Dishington, Daisuke Fujimura (fd0), Daniel Young, David Beckett, David Korczynski, Eloy Pérez González, Emmanuel Thompson, Eric Leblond, Frank Honza, Gabriel Lima Luz, Gianni Tedesco, Gleb Smirnoff, Ilya Bakhtin, JacobRoed, Janani Ramjee, Jascha Sticher, Jason Taylor, Jeremy MountainJohnson, Joe Atzberger, John Dewey, Josh Soref, Joshua Lumb, Justin Azoff, Justin Ossevoort, Kevin Reed, Kevin Wang, Kirby Kuehl, Kristina Jefferson, Lancer Cheng, Long Doan, Luke Coughlan, Mats Klepsland, Maxim Korotkov, Michael Smith, Michael Tremer, Morris Chan, Odin Jenseg, Pierre Chifflier, Rafael Girão, Richard McConnell, Riju, Sascha Steinbiss, Scott Jordan, Simeon Miteff, Simon Dugas, Steven Ottenhoff, Sumera Priyadarsini, Thomas Norheim, Thomas Winter, Todd Mortimer, Travis Green, Vladimir Ivchenko, Wes Hurd, William Correia, William Harding, liaozhiyuan, myr463, showipintbri, tianjinshan.
About Suricata
Suricata is a high-performance Network Threat Detection, IDS, IPS, and Network Security Monitoring engine. It is open source and owned by a community-run, non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors, and the community.